
Interpreting a jpeg image as a php script

I am solving some web hacking challenges from natas on overthewire. In level 12, I have to upload an image to the server, and the server then gives me the precise link where it stored the uploaded image. I exploit this by writing a simple php script echoing the contents of the password file. This works because I can upload it as a .php file and the server also stores it in that format. In level 13, a similar challenge is presented, but here the server checks whether it is an image file by calling the function exif_imagetype(). I just modify an existing image file in Notepad and insert my script at the end.

My question is: if the server simply checked the extension of the file and rejected it if the file did not have a .jpg extension, wouldn't that be better? In that case, even if I uploaded a script, it would never get executed by the server, as it would be interpreted as an image file and the php server would never parse the file. So why use a function such as exif_imagetype()?

Validating a true image is always better than examining the file extension. Unless the extension checker is particularly complex, it will likely look for the last . in the filename, and assess what follows.

For example, this might be an example of a rudimentary extension checker:

// Takes whatever follows the last '.' in the client-supplied name
// (the original line was missing a closing parenthesis):
$extension = end(explode('.', $_FILES['my_file']['name']));
// or (note: strrchr keeps the dot, so this yields ".jpg", not "jpg"):
$extension = strrchr($_FILES['file']['name'], '.');

That's all well and good, and indeed performs perfectly well for file names such as myfile.jpg, malicious.php, etc.

However, this can be easily spoofed by an unscrupulous user with a variety of hacks. The most difficult to circumvent is the infamous NULL byte injection:

shell.php%00delete0.jpg

You can learn more about null-byte injection here.
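The two checks discussed above, as an added example that is not part of the original question or answer: the naive last-dot extension check from the answer, a demonstration that exif_imagetype() only inspects the leading magic bytes (which is why the appended script in the question passes it), and a hardened handler that combines a NUL/path-separator rejection, an allow-listed magic-byte check, re-encoding through GD, and a server-chosen file name and extension. The $_FILES entry, the upload directory and the helper names are assumptions for illustration; the code needs PHP 8.0+ with the exif and gd extensions.

```php
<?php
// Added example, not code from the original post. Assumes PHP >= 8.0 with
// ext/exif and ext/gd; file names and the upload directory are hypothetical.
declare(strict_types=1);

// Naive check from the answer: trusts whatever follows the last '.' in the
// client-supplied name. For "shell.php%00delete0.jpg" (URL-decoded, the name
// carries an embedded NUL) this still returns "jpg", while C-level filesystem
// calls on PHP older than 5.3.4 stopped at the NUL and saw "shell.php".
function naiveExtension(string $clientName): string
{
    $parts = explode('.', $clientName);
    return strtolower(end($parts));
}

// exif_imagetype() reads only the leading signature (0xFF 0xD8 0xFF for JPEG),
// so a file that starts like a JPEG and ends with PHP code passes it.
function passesMagicBytes(string $path): bool
{
    return exif_imagetype($path) === IMAGETYPE_JPEG;
}

// Hardened handling:
//  1. Never use the client-supplied name for anything but logging.
//  2. Reject names containing NUL or path separators outright.
//  3. Require an allow-listed image signature.
//  4. Re-encode through GD so that data appended after the image is dropped
//     (a non-decodable "image" with only the right magic bytes is rejected).
//  5. Store under a server-generated random name whose extension the server
//     picks from the detected type, in a directory the web server never
//     hands to the PHP interpreter.
function storeUpload(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $clientName = (string) $file['name'];
    if (strpbrk($clientName, "\0/\\") !== false) {
        return null; // NUL or path separator in the name: reject
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $allowed = [
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_GIF  => 'gif',
    ];
    $type = @exif_imagetype($file['tmp_name']);
    if ($type === false || !isset($allowed[$type])) {
        return null;
    }
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null; // signature matched but the data is not a decodable image
    }
    $ext = $allowed[$type];
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    return $ok ? basename($dest) : null;
}

// Constructed sample: a file with a JPEG signature followed by PHP code.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\xFF\xD8\xFF\xE0" . str_repeat("\0", 12) . "<?php echo 'owned'; ?>");

var_dump(naiveExtension("shell.php\0delete0.jpg")); // string(3) "jpg"
var_dump(passesMagicBytes($tmp));                   // bool(true): magic bytes alone pass
// The hardened path rejects it: the NUL check fires for the spoofed name, and
// the GD decode fails for the signature-only payload.
var_dump(storeUpload(
    ['name' => 'shell.php', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK],
    sys_get_temp_dir()
)); // NULL, because is_uploaded_file() is false outside a real POST and the data does not decode
unlink($tmp);
```

The decisive control is the last one: when the stored file name and extension are chosen by the server and the upload directory is never mapped to the PHP handler, neither a spoofed extension nor an appended script matters, whichever of the two checks the application happens to use.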
